System log showing massive traffic


cdikland

Regular Contributor
What in the world is all this?? I am getting 5 of these per second, all of them from different sources. Below are some of the truncated records from the system log.

Mar 1 12:54:51 kernel: DROP IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx: SRC=50.99.230.70 DST=My-Wan-IP LEN=52
Mar 1 12:54:51 kernel: DROP IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx: SRC=92.236.87.226 DST=My-Wan-IP LEN=48
Mar 1 12:54:52 kernel: DROP IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx: SRC=71.107.35.43 DST=My-Wan-IP LEN=48


I got on my PC and my network connection was down to a crawl. Switched main router (and IP) to recover. I then rebooted the router of the above log, but the traffic keeps on coming??? :eek: Help!!!!


Asus RT-AC68U 3.0.0.4.374.39 (Merlin build)
 

Thank you for the response. 1 big difference with my situation is the total number of unique IP addresses. Like I stated above, I was sometimes getting up to 5 new records/second and each address was different. It seemed like some busy website suddenly directed all their traffic to my IP address.


I managed to get it to stop by turning off WAN on my router and going through the setup, which gave me a new IP. With the new IP this excessive traffic stopped. Sure would like to know what caused this. :confused:
 
:eek: Well, so much for a new IP address. Started all up again. 14 hits in 1 second, each IP is unique.
Mar 1 19:51:52 kernel: DROP IN=eth0 OUT= MAC=00:00 SRC=162.156.141.160
Mar 1 19:51:52 kernel: DROP IN=eth0 OUT= MAC=00:00 SRC=94.254.51.212
Mar 1 19:51:52 kernel: DROP IN=eth0 OUT= MAC=00:00 SRC=154.20.122.78
Mar 1 19:51:52 kernel: DROP IN=eth0 OUT= MAC=00:00 SRC=92.53.54.241
Mar 1 19:51:52 kernel: DROP IN=eth0 OUT= MAC=00:00 SRC=184.75.221.42
Mar 1 19:51:52 kernel: DROP IN=eth0 OUT= MAC=00:00 SRC=71.56.66.176
Mar 1 19:51:52 kernel: DROP IN=eth0 OUT= MAC=00:00 SRC=87.109.32.182
Mar 1 19:51:52 kernel: DROP IN=eth0 OUT= MAC=00:00 SRC=179.181.142.247
Mar 1 19:51:52 kernel: DROP IN=eth0 OUT= MAC=00:00 SRC=176.10.249.2
Mar 1 19:51:52 kernel: DROP IN=eth0 OUT= MAC=00:00 SRC=196.210.140.61
Mar 1 19:51:52 kernel: DROP IN=eth0 OUT= MAC=00:00 SRC=188.49.41.116
Mar 1 19:51:52 kernel: DROP IN=eth0 OUT= MAC=00:00 SRC=94.96.193.59
Mar 1 19:51:52 kernel: DROP IN=eth0 OUT= MAC=00:00 SRC=58.168.21.143
Mar 1 19:51:52 kernel: DROP IN=eth0 OUT= MAC=00:00 SRC=188.49.41.116

If I take the AC68U offline and replace it with my N66U (same modem, same ISP) the problem goes away. :eek: WTF?
 

Quite often this happens if you used a BitTorrent client for a while, then you closed it down. Hundreds of torrent clients that still have your IP will try to reconnect back to you.

What you see here is merely your firewall rejecting connections that are targeted at unopened ports. Nothing to worry about, it's part of the normal background noise that constitutes the Internet. I recommend keeping logging disabled so all these connection attempts won't impact your performance, as the router would try to log them all.
 

I also made an addition to the router's default firewall to block all these IPs rather than log them. I also get this too from thousands of spam-based IPs.

To run this script you will need to have optware installed on your device first (install then uninstall download master for ARM devices).

In SSH run the following:

Code:
wget -O /opt/bin/firewall http://198.23.248.102/firewall%20ac.sh
chmod +x /opt/bin/firewall

Then edit your /jffs/scripts/firewall-start file to look like the following:

Code:
#!/bin/sh
# Run "/opt/bin/firewall save" every hour so the ipset blacklist survives a reboot
echo "0 * * * * /opt/bin/firewall save" > /var/spool/cron/crontabs/admin
# Restart crond so it picks up the new crontab
[ -n "`pidof crond`" ] && killall -q crond

sleep 1
crond
# Load the blacklist rules right away
sh /opt/bin/firewall


Reboot and enjoy automatic IP banning :D

There are also some other functions I added for blocking individual IP's, countries and whitelisting /24's which is all explained at the top of the file.

##############################
#####Commands / Variables#####
##############################
UNBANSINGLE="unban" # <-- Remove Single IP From Blacklist
UNBANALL="unbanall" # <-- Unbans All IPs In Blacklist
REMOVEBANS="removeall" # <-- Remove All Entries From Blacklist
SAVEIPSET="save" # <-- Save Blacklists to /opt/tmp/ipset.txt
BANSINGLE="ban" # <-- Adds Entry To Blacklist
BANCOUNTRYSINGLE="country" # <-- Adds entire country to blacklist
BANCOUNTRYLIST="bancountry" # <-- Bans specified countries in this file
WHITELIST="whitelist" # <-- Add IPs from path to Whitelist
HIDEMYASS="hideme" # <-- Switch to unrestricted DNS (tunlr.net)
FINDMYASS="findme" # <-- Switch to Bigpond DNS (Default)
BACKUPRULES="backup" # <-- Backup IPSet Rules to /opt/tmp/ipset2.txt / Checks for firmware updates
##############################
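The two things this thread turns on are (a) reading the kernel DROP lines to judge whether the traffic is a broad scatter of one-off sources (the torrent-reconnect background noise RMerlin describes) or a few addresses hitting the WAN repeatedly, and (b) deciding which of those addresses are worth blocking outright instead of logging, as the firewall script above does. The following is an added example, not code from the thread or from the linked firewall script. It parses the syslog format quoted in the posts (the DST/LEN fields are optional because the poster truncated them), counts drops per second and per source, and flags repeat offenders above a hypothetical threshold. The sample log lines are constructed for the example and use documentation address ranges, and the threshold of 3 is an arbitrary assumption.

```python
"""Summarise kernel DROP lines from an Asuswrt-style system log.

Added example (not from the thread or from the firewall script it links).
Groups dropped inbound packets by second and by source address so that a
broad, low-rate scatter of unique sources can be told apart from a handful
of addresses that keep coming back.
"""
import re
from collections import Counter, defaultdict

# Matches the log format quoted in the thread. The MAC/DST/LEN fields are
# skipped lazily because the poster truncated them in some lines.
DROP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) kernel: DROP IN=(?P<iface>\S+) .*?"
    r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample (documentation addresses, not real hosts). One source
# repeats across three seconds; the rest appear once. The last line is a
# non-firewall entry that must be ignored.
SAMPLE_LOG = """\
Mar 1 19:51:52 kernel: DROP IN=eth0 OUT= MAC=00:00 SRC=192.0.2.10 DST=203.0.113.5 LEN=52
Mar 1 19:51:52 kernel: DROP IN=eth0 OUT= MAC=00:00 SRC=192.0.2.11 DST=203.0.113.5 LEN=48
Mar 1 19:51:52 kernel: DROP IN=eth0 OUT= MAC=00:00 SRC=192.0.2.12 DST=203.0.113.5 LEN=48
Mar 1 19:51:52 kernel: DROP IN=eth0 OUT= MAC=00:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=40
Mar 1 19:51:53 kernel: DROP IN=eth0 OUT= MAC=00:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=40
Mar 1 19:51:53 kernel: DROP IN=eth0 OUT= MAC=00:00 SRC=192.0.2.13 DST=203.0.113.5 LEN=48
Mar 1 19:51:54 kernel: DROP IN=eth0 OUT= MAC=00:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=40
Mar 1 19:51:54 dnsmasq[123]: started, version 2.68
"""


def parse_drops(lines):
    """Yield (timestamp, interface, src) for each kernel DROP line; skip the rest."""
    for line in lines:
        m = DROP_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("iface"), m.group("src")


def summarise(lines, repeat_threshold=3):
    """Count drops per second and per source.

    repeat_threshold (assumed value) is the number of drops from one source
    above which it is reported as a repeat offender, i.e. a candidate for a
    block rule rather than a log entry.
    """
    per_second = Counter()
    per_src = Counter()
    srcs_per_second = defaultdict(set)
    for ts, _iface, src in parse_drops(lines):
        per_second[ts] += 1
        per_src[src] += 1
        srcs_per_second[ts].add(src)

    peak_ts = max(per_second, key=per_second.get) if per_second else None
    repeaters = {src: n for src, n in per_src.items() if n >= repeat_threshold}
    return {
        "total": sum(per_second.values()),
        "unique_sources": len(per_src),
        "peak_second": peak_ts,
        "peak_hits": per_second[peak_ts] if peak_ts else 0,
        "peak_unique": len(srcs_per_second[peak_ts]) if peak_ts else 0,
        "repeaters": repeaters,
    }


def classify(summary):
    """Label the pattern: nothing, distributed one-off noise, or repeat offenders."""
    if summary["total"] == 0:
        return "no drops"
    if summary["repeaters"]:
        return "repeat offenders"
    return "distributed noise"


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG.splitlines())
    print(f"{result['total']} drops from {result['unique_sources']} unique sources")
    print(f"peak: {result['peak_hits']} hits at {result['peak_second']} "
          f"({result['peak_unique']} unique)")
    print("verdict:", classify(result))
    for src, n in sorted(result["repeaters"].items(), key=lambda kv: -kv[1]):
        print(f"  repeat offender {src}: {n} drops")
```

On a live router the input would be the output of `cat /tmp/syslog.log` (or the system log page saved to a file) rather than the embedded sample. A verdict of "distributed noise" with a high unique-source count is the torrent-reconnect pattern described above, where disabling logging is the sensible fix; only the repeat offenders are worth the cost of an ipset entry.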
 
Thanks everyone for your response. Wifey had uTorrent running and even after shutting it down the traffic kept coming. I took RMerlin's suggestion and shut down the logging, after which my problem disappeared :D
 
